U.S. Marshals Service hacked in ‘major incident’


This is the second time the agency has been hacked in recent years, adding to a growing number of agencies that have experienced cybersecurity incidents.

The U.S. Marshals Service was hacked earlier this month, compromising sensitive information, an agency spokesperson confirmed Tuesday.

The Marshals Service is a division of the Justice Department responsible for protecting judges, transporting federal prisoners and operating the witness protection program. 

The incident was discovered on Feb. 17, when the agency found “a ransomware and data exfiltration event affecting a stand-alone USMS system,” which was then disconnected from the network, the spokesperson told Nextgov in an emailed statement. 

The breached system—which did not affect the witness protection database—contains “law enforcement sensitive information, including returns from legal process, administrative information and personally identifiable information pertaining to subjects of USMS investigations, third parties and certain USMS employees,” the spokesperson noted.

The Justice Department is investigating the incident, which was first reported by NBC on Monday. The investigation and remediation efforts are ongoing.

“We are working swiftly and effectively to mitigate any potential risks as a result of the incident,” the spokesperson added.

On Feb. 22, after being briefed on the matter, officials determined that the hack constituted a “major incident”—requiring the agency to notify Congress.

“The US Marshals data breach is another example of how cybercriminals aim for identities—the most common threat target,” Lior Yaari, CEO and co-founder of Grip Security, told Nextgov in an emailed statement. “In this case, attackers were able to exfiltrate and add to the identity fabric for individuals in the USMS system, including prisoners. We continue to see how the identity fabric is the new frontline, and defenders are racing against adept threat actors seeking to contaminate and compromise it. Compromised identities give cybercriminals an embedded position in identity fabric, thereby extending their presence anywhere and everywhere the identity goes.”

This is the second time the agency has experienced an attack in recent years. The Marshals Service was hacked towards the end of 2019—which came to light in May 2020—in an incident that exposed the personal information of approximately 387,000 prisoners. This prior hack impacted the DSNet system, which houses and transports prisoners within the agency, federal courts and Bureau of Prisons. 

Despite efforts like President Joe Biden’s May 2021 executive order to bolster national security, there is a growing list of agencies experiencing cybersecurity incidents, including the Office of Personnel Management, the Justice Department, the U.S. Agency for International Development and others, as well as other breaches impacting the commercial software purchased by various agencies.

“Last week the DOD confirmed that a server with sensitive information was left exposed to the internet for weeks. Shortly before the DOD incident we saw the FBI hacked by an adversary, and now the U.S. Marshals Service has suffered a major cybersecurity incident,” Eric Noonan, founder and CEO of CyberSheath, told Nextgov in an email statement. “We need to be asking three simple and critical questions of our federal government agencies, especially as the government forces their suppliers, the hundreds of thousands of contractors who support these agencies, to meet mandatory cyber security minimum standards. First, what standard is the federal government aspiring to comply with? Second, where are they in their journey to get compliant with that standard? Finally, when will they be compliant with the chosen standard? Look, cybersecurity is complex but it’s not always hard. Pick a standard or set of cybersecurity best practices, work to implement that standard, measure your progress as you go. Basically that’s what President Biden’s executive order on cybersecurity called for and he was right, but it doesn’t look like we are making the progress we should be.”

“The real impact of an attack like this is the malicious use of data that the attackers collected,” Joel Bagnal, director of federal at SpyCloud, told Nextgov in a statement. “This data can have a lasting impact and cause damage far beyond the initial incident. Ransomware operators have become more sophisticated, and have started outsourcing parts of their campaigns, including access they’ve gained. Using malware to siphon credentials, system info and cookies, attackers can sell this information to ransomware syndicates to perform additional attacks.”

Bagnal noted that according to “SpyCloud analysis of billions of recaptured data assets from the dark web in 2021 alone, .gov accounts had a 60% password reuse rate.”

That analysis also found that the most reused plaintext password was “password.” 

“To prevent further damage, individuals within a targeted organization should consider resetting passwords and invalidating sessions for critical workforce applications that could be compromised. This enables security teams to quickly remediate much more than the infected device, re-securing affected applications and closing entry points for additional ransomware attacks,” Bagnal said.
